All Products
Search
Document Center

Cloud Firewall:Best practices to defend against worms from C&C servers

Last Updated:Jun 20, 2024

Worms are a major threat to services in the cloud. Worms exploit server vulnerabilities to spread over networks and carry out malicious operations on compromised servers. Worm attacks pose serious threats to the assets and business of users. Cloud Firewall provides layered defense against the attack chains of worms and can detect and intercept a variety of worms. Cloud Firewall also dynamically updates and expands its capabilities to detect and intercept new worms based on threat intelligence from the cloud.

Impact of worms

The following issues may occur due to worm attacks:

  • Service interruption: Worms may carry out malicious operations, such as modifying configurations or terminating services, on compromised servers. This may cause risks, such as server breakdown or service interruption.

  • Information theft: Worms that aim to steal information compress data on compromised servers and send the compressed data to attackers. This may cause data breaches and resource abuse.

  • Regulatory control: When worms spread over a network, worms send a large number of packets. This may trigger regulatory control on IP addresses, which results in service interruption. For example, IP addresses may be blocked.

  • Economic or data loss: Ransomware worms encrypt files on compromised servers for ransom, which can cause economic or data loss.

Solution provided by Cloud Firewall

Cloud Firewall provides layered defense against the attack chains of worms and can detect and intercept a variety of worms. Cloud Firewall also dynamically updates and expands its capabilities to detect and intercept new worms based on threat intelligence from the cloud.

The following list describes common worms:

  • DDG: spreads by exploiting Redis vulnerabilities and by launching brute-force attacks. This worm uses the computing resources on compromised servers to mine cryptocurrency.

  • WannaCry: spreads by exploiting Windows system vulnerabilities and compromises servers for ransom.

  • BillGates: spreads by exploiting application vulnerabilities and by launching brute-force attacks. This worm builds a botnet of compromised servers to launch DDoS attacks.

Case: DDG worm

DDG is an active worm that spreads by exploiting Redis vulnerabilities and by launching brute-force attacks. Compromised servers are added to a botnet to mine cryptocurrency.

Impact scope of DDG

  • Servers that use weak SSH passwords

  • Redis or other database servers for which specific vulnerabilities exist

Major impact of DDG

  • Service interruption: DDG mines cryptocurrency on compromised servers, during which a large number of computing resources on the servers are occupied. This may affect service availability or cause service interruption.

  • Regulatory control: When DDG spreads over a network, DDG sends a large number of packets. This may trigger regulatory control on IP addresses, which results in service interruption. For example, IP addresses may be blocked.

Defense against the DDG attack chain

Cloud Firewall detects and defends against the DDG attack chain in real time. This way, worms are blocked and are prevented from spreading.

Cloud Firewall provides the following intrusion prevention features:

  • Whitelist: Cloud Firewall trusts the source and destination IP addresses that you specify in the whitelist and does not block the traffic of these IP addresses.

  • Threat intelligence: Cloud Firewall scans your servers for threat intelligence and blocks malicious behavior from C&C servers based on the threat intelligence.

  • Basic protection: Cloud Firewall detects malware and intercepts the requests sent to or received from C&C servers or backdoors.

  • Virtual patching: Cloud Firewall provides virtual patches to defend your services against popular high-risk application vulnerabilities in real time.

Procedure

  1. Log on to the Cloud Firewall console.

  2. In the left-side navigation pane, choose Prevention Configuration > IPS Configuration.

  3. In the Threat Engine Mode section of the IPS Configuration page, select Loose for Block Mode.

  4. In the Advanced Settings section, click Whitelist. In the dialog box that appears, add trusted source IP addresses, destination IP addresses, or address books of both inbound and outbound traffic to a specific whitelist.

  5. In the Threat Intelligence section, turn on Threat Intelligence.

  6. In the Basic Protection section, turn on Basic Policies.

  7. In the Virtual Patches section, turn on Patches.

For more information about how to configure intrusion prevention features, see IPS configuration.